summaryrefslogtreecommitdiff
path: root/packages/backend/src/server/api/endpoints/admin
diff options
context:
space:
mode:
Diffstat (limited to 'packages/backend/src/server/api/endpoints/admin')
-rw-r--r--packages/backend/src/server/api/endpoints/admin/accounts/create.ts30
1 files changed, 19 insertions, 11 deletions
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index a7e8a3b018..3cb4029780 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -3,16 +3,15 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
-import { Inject, Injectable } from '@nestjs/common';
-import { IsNull } from 'typeorm';
+import { Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
-import type { UsersRepository } from '@/models/_.js';
+import { MiUser } from '@/models/_.js';
import { SignupService } from '@/core/SignupService.js';
import { UserEntityService } from '@/core/entities/UserEntityService.js';
import { InstanceActorService } from '@/core/InstanceActorService.js';
import { localUsernameSchema, passwordSchema } from '@/models/User.js';
-import { DI } from '@/di-symbols.js';
import { Packed } from '@/misc/json-schema.js';
+import { RoleService } from '@/core/RoleService.js';
export const meta = {
tags: ['admin'],
@@ -42,22 +41,21 @@ export const paramDef = {
@Injectable()
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
constructor(
- @Inject(DI.usersRepository)
- private usersRepository: UsersRepository,
-
+ private roleService: RoleService,
private userEntityService: UserEntityService,
private signupService: SignupService,
private instanceActorService: InstanceActorService,
) {
- super(meta, paramDef, async (ps, _me, token) => {
- const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null;
- const realUsers = await this.instanceActorService.realLocalUsersPresent();
- if ((realUsers && !me?.isRoot) || token !== null) throw new Error('access denied');
+ super(meta, paramDef, async (ps, _me) => {
+ if (!await this.canCreate(_me)) {
+ throw new Error('access denied');
+ }
const { account, secret } = await this.signupService.signup({
username: ps.username,
password: ps.password,
ignorePreservedUsernames: true,
+ approved: true,
});
const res = await this.userEntityService.pack(account, account, {
@@ -70,4 +68,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
return res;
});
}
+
+ private async canCreate(me: MiUser | null): Promise<boolean> {
+ // Allow the first user to be created without authentication, as part of normal setup flow
+ if (!me) {
+ return !await this.instanceActorService.realLocalUsersPresent();
+ }
+
+ // Administrators (including root) can always create users
+ return await this.roleService.isAdministrator(me);
+ }
}
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-03 22:35:11 +0000